Volume 18, Number 27 -- July 20, 2009

Criminal Enterprise or Legit Business? It Can Be Hard to Tell, Cisco Says

Published: July 20, 2009

by Alex Woodie

In its recently released mid-year security review, Cisco Systems makes the case that online criminals are using more sophisticated tools and methods of attack, and are increasingly using legitimate business techniques to mask their nefarious goals. A good example of this evolution was on display with Conficker, a worm that began circulating in late 2008 and that continues to infect computers to this day.

When Conficker surfaced late last year and blossomed into the biggest computer worm in more than five years, it took security experts a bit by surprise, according to Cisco, which documented the technology and techniques behind the Conficker outbreak in its mid-year security report.

Whereas many malware exploits of the past few years have concentrated "up the stack" on vulnerabilities in applications, the Conficker worm represented a shift "back to the future" by taking advantage of older vulnerabilities in Windows. Cisco said this "old school" approach worked well because most security professionals were concentrating up the stack on applications, particularly the popular new Web 2.0 apps.

Once infected with the Conficker worm, an afflicted PC becomes part of a "botnet" of infected computers that online criminals can use for their malicious purposes. In the case of Conficker, one of the ways the criminals made money was by renting the network of infected PCs to Waledcac, another botnet that utilized the processing and network power of Conficker's dirty work to spread "scamware." Scamware refers to a business model that relies on scared individuals to purchase software from the scammers in order to escape infection. This sharing of botnet resources represents a criminal adaptation of the software as a service (SaaS) model.

Conficker's hold on infected PCs started to crack when a group of more than 100 concerned organizations gathered together to create the Conficker Working Group. The group worked with computer security professionals (including those at Cisco) and the Internet domain naming organization ICANN to identify and root out domains that the Conficker botnet was using.

The collaborative approach to thwart Conficker worked and helped to "blunt the impact" of the worm, Cisco says. However, when the criminals behind Conficker realized their techniques had been discovered, they quickly shifted gears and tried different communication methods. While Conficker has been muted to some degree, it continues to spread. As of the end of June, there were still several million computer systems under its control, Cisco says, making Conficker the most prolific worm since the SQL Slammer attack of 2003.

The case of Conficker shows that vigilance must be maintained as computer criminals continue to adapt to changing circumstances. "We see many signs that criminals are mimicking the practices embraced by successful, legitimate businesses to reap revenue and grow their enterprises," says Tom Gillis, vice president and general manager of security products for Cisco.

Cisco also shared details of the inner-workings of a botnet. The company got a glimpse into the underworld phenomenon through conversations with a botnet-running criminal, which Cisco helped bring to justice. The criminal admitted to selling access to his botnet, which was created using instant messaging (IM) spam and associated malware, for 10 cents to 25 cents per infected node. That wasn't going to make the criminal (who claimed he needed the money to pay for antibiotics for a "sick child") very wealthy. The guys who made the really big bucks--up to $10,000 per week--were involved in phishing and identity theft scams.

Cisco asked the criminal why he chose of life of crime, and he responded that, due to his lack of a "decent education," he wasn't able to find an above-board job. "In this faltering economy," Cisco says, "one has to wonder if even well-educated IT experts with no criminal record will resort to illegal activities, since jobs are so scarce." (Cisco invites readers to a full-length report, Infiltrating a Botnet, at its Web site.)

Another example of the blending of the techniques of criminals and legitimate businessmen is the phenomenon known as "spamdexing." Just as legitimate companies will try to boost their search engine rankings through numerous techniques, such as adding a slew of keywords to the bottoms of their Web pages to get on more search indices, online ne'er-do-wells are also using these techniques to bolster their search results.

However, instead of getting legitimate Web pages or download when clicking through, the unsuspecting victims of spamdexing get a disk full of malware for their troubles. This approach is working because of the apparently innate human tendency to trust the top 10 results of a Google search more than the bottom 10 results.

While criminal outfits have been masquerading as legitimate groups since the dawn of time, use of the tactic is accelerating on the Internet, explains Patrick Peterson, Cisco fellow and chief security researcher.

"Securing the Internet has long been a moving target as criminals develop increasingly sophisticated ways to breach corporate networks and obtain valuable personal data," Peterson says. "What is striking in our latest findings is how, in addition to using their technical skills to cast a wide net and avoid detection, these criminals are also demonstrating some strong business acumen.

"They are collaborating with each other, preying on individuals' greatest fears and interests, and increasingly making use of legitimate Internet tools like search engines and the software-as-a-service model," Peterson continues. "Some also continue to succeed using well-documented methods that in recent years have been downplayed as threats given the preponderance of new tactics. With criminals being so quick to identify weaknesses both in online networks and in consumers' psyches, businesses need to adopt ever more advanced ways to fight cybercrime and remain vigilant across all attack vectors."

Other big areas of concern for security professionals are mobile devices. The rapidly growing popularity of mobile, network-connected devices is also proving irresistible to online criminals, Cisco reports. Since the start of the year, at least two or three new campaigns have surfaced every week targeting handheld mobile devices, says Cisco, which calls the 4.1 billion mobile phone subscriptions worldwide a "new frontier for fraud."

Disgruntled employees and malicious insiders are also taking their tolls on the health of the world's computer systems. Cisco detailed several examples of insider fraud this year, including an employee at the Federal Reserve Bank of New York, who, along with his brother, used stolen identities to receive $73,000 in student loans. The brother also used stolen identities for a boat loan in New Jersey, Cisco says. Also occurring in April was the case of a former employee of New York's Department of Taxation and Finance, who allegedly spent more than $200,000 on credit cards obtained using stolen personal data.

All is not doom and gloom, however, and Cisco reports several bright spots in the ongoing fight against computer fraud. The company reports a collaborative approach helped to stop the Srizbi/Reactor Mailer botnet, which had been one of the world's biggest spammers. A coordinated campaign helped to identify the company behind the Srizbi/Reactor Mailer botnet, and it was shut down in November. When the organization resurfaced in Estonia and tried to rebuild its network, it was subsequently disabled by Microsoft and its Malicious Software Removal Tool (MSRT), which it updates every Patch Tuesday.

Security experts simply need to work harder if they're going to keep up with their criminal counterparts. That is a huge challenge, especially as the lines between legitimate businesses and criminal enterprises continue to blur and attacks become increasingly sophisticated. On top of that, security pros must keep in mind all of the old vulnerabilities that are still out there (like the one Conficker exploited), while keeping an eye on the ever-present insider threat and complying with the ever-growing number of regulations.

Yeah, it's a tough, unforgiving job, with the greatest achievement occurring when nothing happens. So go give your organization's security guy or gal a big hug, because they probably need it.

A PDF of Cisco's 32-page Midyear Security Report can be downloaded at

                     Post this story to
               Post this story to Digg
    Post this story to Slashdot

Sponsored By

*Spool File Mapping to Full Color PDF*

KeyesOverlay rapidly converts standard *SCS printer files into PDF documents,
in either black and white or full color. Individual documents, such as invoices or
Purchase Orders, can be prepared with overlays, and can include
things like Barcodes or MICR fonts.

KeyesOverlay can also be used to prepare large reports complete with
Bookmarks to aid the user in navigating sections.

Learn more at
or call 800 356 0203.

Editor: Timothy Prickett Morgan
Contributing Editors: Dan Burger, Joe Hertvik, Brian Kelly, Shannon O'Donnell,
Mary Lou Roberts, Victor Rozek, Kevin Vandever, Hesh Wiener, Alex Woodie
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Contact the Editors: To contact anyone on the IT Jungle Team
Go to our contacts page and send us a message.

Sponsored Links

Profound Logic Software:  Tune in to Profound Logic TV for FREE educational videos and tips
Maximum Availability:  *noMAX - Subscription edition now available (US & UK)
COMMON:  Celebrate our 50th anniversary at annual conference, May 2 - 6, 2010, in Orlando



IT Jungle Store Top Book Picks

Easy Steps to Internet Programming for AS/400, iSeries, and System i: List Price, $49.95
The iSeries Express Web Implementer's Guide: List Price, $49.95
The System i RPG & RPG IV Tutorial and Lab Exercises: List Price, $59.95
The System i Pocket RPG & RPG IV Guide: List Price, $69.95
The iSeries Pocket Database Guide: List Price, $59.00
The iSeries Pocket SQL Guide: List Price, $59.00
The iSeries Pocket Query Guide: List Price, $49.00
The iSeries Pocket WebFacing Primer: List Price, $39.00
Migrating to WebSphere Express for iSeries: List Price, $49.00
Getting Started With WebSphere Development Studio Client for iSeries: List Price, $89.00
Getting Started with WebSphere Express for iSeries: List Price, $49.00
Can the AS/400 Survive IBM?: List Price, $49.00
Chip Wars: List Price, $29.95

Four Hundred Stuff
Cicero Evolves Application Integration through Desktop Automation

JDA Plots Course Forward for MMS, and--Surprise--It's Java

Phantom Targets UDO Customers Following Plasmon Bankruptcy

Free Tool from Linoma Detects Credit Card, Social Security Numbers

Bytware Adds Auditing to i OS Security Product

Four Hundred Guru
The Case of the Missing .NET Data Provider for i5/OS in Visual Studio 2008

Are MOVE and MOVEL Obsolete?

Restoring Spooled File Data After a System Restore

Four Hundred Monitor
Four Hundred Monitor's
Full iSeries Events Calendar

System i PTF Guide
July 11, 2009: Volume 11, Number 28

July 4, 2009: Volume 11, Number 27

June 27, 2009: Volume 11, Number 26

June 20, 2009: Volume 11, Number 25

June 13, 2009: Volume 11, Number 24

June 6, 2009: Volume 11, Number 23

TPM at The Register
Sun shareholders approve Oracle deal

PCs do better than expected in Q2

The curious case of Sun's hardware biz

Bull to do homegrown Nehalem EX chipset

Nehalem and Atom save Intel's Q2 cookies

Microsoft hosts Feynman lecture series

Supers get greener

IBM drops Istanbuls into big Opteron box

Sun: Q4 sales to drop by a third, sees deeper losses

Nehalems make like elephants on HPC memory test

Microsoft and Citrix mix 'n' match fake desktops

FastScale deploys skinnied stacks to EC2

AMD delivers more six-shooter Istanbul Opterons

VMware copes with performance, chargeback anxiety


Infinite Software
ARCAD Software
Bsafe Information Systems
Computer Keyes
Twin Data

Printer Friendly Version

Sundry Power Systems i Storage Announcements

Servers Slammed in IBM's Second Quarter

IBM Sunsets More Power Systems Features

As I See It: Injured Wing

Fincham Rides Point for iManifest EMEA

But Wait, There's More:

IT Organizations Tuning Up Employee Recruitment Efforts . . . Sun Shareholders Vote to Sell to Oracle . . . IBM Cranks Out Power Systems i Redbooks . . . Criminal Enterprise or Legit Business? It Can Be Hard to Tell, Cisco Says . . . Pat Townsend Secure with New President . . .

The Four Hundred


Subscription Information:
You can unsubscribe, change your email address, or sign up for any of IT Jungle's free e-newsletters through our Web site at

Copyright © 1996-2009 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034

Privacy Statement